Home Explore Help
Register Sign In
AFS
/
xdr-terraform-modules
2
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: 77f31a6f95
Branches Tags
xdr-terraform-m...
/
base
/
dns
/
private_dns_zone
/
main.tf

main.tf 2.4 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104 
  1. locals {
    2. 

  2.   first_vpc = var.vpcs[0]
    3. 

  3.   remaining_vpcs = [ for vpc in var.vpcs: vpc if vpc != local.first_vpc ]
    4. 

  4. 

  5.   other_partition = var.aws_partition == "aws-us-gov" ? "aws" : "aws-us-gov"
    6. 

  6. }
    7. 

  7. 

  8. # debug
    9. 

  9. #output remaining_vpcs {
    10. 

  10. #  value = local.remaining_vpcs
    11. 

  11. #}
    12. 

  12. 

  13. # Create the private zones
    14. 

  14. resource "aws_route53_zone" "private" {
    15. 

  15.   name = var.private_dns[var.aws_partition].name
    16. 

  16.   tags = merge(var.standard_tags, var.tags)
    17. 

  17. 

  18.   vpc {
    19. 

  19.     vpc_id = local.first_vpc
    20. 

  20.   }
    21. 

  21. 

  22.   # For the rationale here, see the notes at:
    23. 

  23.   # https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/route53_zone_association
    24. 

  24.   #
    25. 

  25.   # tldr; We can't create without an association, but we can't add associations without changing this record.
    26. 

  26.   # So we add one, and then we add it again and ignore any further changes.
    27. 

  27.   lifecycle {
    28. 

  28.     ignore_changes = [vpc]
    29. 

  29.   }
    30. 

  30. }
    31. 

  31. 

  32. resource "aws_route53_zone_association" "associations" {
    33. 

  33.   for_each = toset(local.remaining_vpcs)
    34. 

  34. 

  35.   zone_id = aws_route53_zone.private.zone_id
    36. 

  36.   vpc_id  = each.value
    37. 

  37. }
    38. 

  38. 

  39. output "zone_id" {
    40. 

  40.   value = aws_route53_zone.private.id
    41. 

  41. }
    42. 

  42. 

  43. ###################################
    44. 

  44. # Resolver
    45. 

  45. resource "aws_route53_resolver_endpoint" "private_resolver" {
    46. 

  46.   name      = "xdr_private_dns_resolver"
    47. 

  47.   direction = "INBOUND"
    48. 

  48. 

  49.   security_group_ids = [ aws_security_group.resolver_security_group.id ]
    50. 

  50. 

  51.   dynamic "ip_address" {
    52. 

  52.     for_each = var.subnets
    53. 

  53. 

  54.     content {
    55. 

  55.       subnet_id = ip_address.value
    56. 

  56.     }
    57. 

  57.   }
    58. 

  58. 

  59.   tags = merge(var.standard_tags, var.tags)
    60. 

  60. }
    61. 

  61. 

  62. output dns_servers {
    63. 

  63.   value = [ for ipblock in aws_route53_resolver_endpoint.private_resolver.ip_address: ipblock["ip"] ]
    64. 

  64. }
    65. 

  65. 

  66. resource "aws_security_group" "resolver_security_group" {
    67. 

  67.   name        = "route53_resolver"
    68. 

  68.   description = "Allow DNS inbound traffic"
    69. 

  69.   vpc_id      = local.first_vpc
    70. 

  70. 

  71.   ingress {
    72. 

  72.     description = "DNS_UDP"
    73. 

  73.     from_port   = 53
    74. 

  74.     to_port     = 53
    75. 

  75.     protocol    = "udp"
    76. 

  76.     cidr_blocks = [ "10.0.0.0/8" ]
    77. 

  77.   }
    78. 

  78. 

  79.   ingress {
    80. 

  80.     description = "DNS_TCP"
    81. 

  81.     from_port   = 53
    82. 

  82.     to_port     = 53
    83. 

  83.     protocol    = "tcp"
    84. 

  84.     cidr_blocks = [ "10.0.0.0/8" ]
    85. 

  85.   }
    86. 

  86. 

  87.   egress {
    88. 

  88.     description = "DNS_UDP"
    89. 

  89.     from_port   = 53
    90. 

  90.     to_port     = 53
    91. 

  91.     protocol    = "udp"
    92. 

  92.     cidr_blocks = [ "10.0.0.0/8" ]
    93. 

  93.   }
    94. 

  94. 

  95.   egress {
    96. 

  96.     description = "DNS_TCP"
    97. 

  97.     from_port   = 53
    98. 

  98.     to_port     = 53
    99. 

  99.     protocol    = "tcp"
    100. 

  100.     cidr_blocks = [ "10.0.0.0/8" ]
    101. 

  101.   }
    102. 

  102. 

  103.   tags = merge(var.standard_tags, var.tags)
    104. 

  104. }
    105.